Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof

ABSTRACT

A method, non-transitory computer readable medium, and device that identifies network traffic characteristics to correlate and manage one or more subsequent flows includes transmitting a monitoring request comprising one or more attributes extracted from an HTTP request received from a client computing device and a timestamp to a monitoring server to correlate one or more subsequent flows associated with the HTTP request. The HTTP request is transmitted to an application server after receiving an acknowledgement response to the monitoring request from the monitoring server. An HTTP response to the HTTP request is received from the application server. An operation with respect to the HTTP response is performed.

FIELD

This technology relates to methods for identifying network trafficcharacteristics to correlate and manage one or more subsequent flows anddevices thereof.

BACKGROUND

As enterprise customers deploy more web-based database applications, ITadministrators face several challenges for correlating and managingsubsequent flows. For example, IT administrators would like to provide adata access audit trail which is not always possible. Additionally, ITadministrators would like to be able to monitor and effectively alert orterminate a user session deemed to be misbehaving based on a data orother access policy. Further, IT administrators would like to secureboth application and database environments from threats, such ashttp://www.f5.com/glossary/distributed-denial-of-service-attack.html SQLinjection and cross-site scripting attacks.

SUMMARY

A method for identifying network traffic characteristics to correlateand manage one or more subsequent flows includes transmitting, by atraffic management computing device, a monitoring request comprising oneor more attributes extracted from an HTTP request received from a clientcomputing device and a timestamp to a monitoring server to correlate oneor more subsequent flows associated with the HTTP request. The HTTPrequest is transmitted, by the traffic management computing device, toan application server after receiving an acknowledgement response to themonitoring request from the monitoring server. An HTTP response to theHTTP request is received, by the traffic management computing device,from the application server. An operation with respect to the HTTPresponse is performed, by the traffic management computing device, aftertransmitting a monitoring response message to end the correlationassociated with the HTTP request in response to the monitoring request.

A non-transitory computer readable medium having stored thereoninstructions for identifying network traffic characteristics tocorrelate and manage one or more subsequent flows comprising machineexecutable code which when executed by at least one processor, causesthe processor to perform steps including transmitting a monitoringrequest comprising one or more attributes extracted from an HTTP requestreceived from a client computing device and a timestamp to a monitoringserver to correlate one or more subsequent flows associated with theHTTP request. The HTTP request is transmitted to an application serverafter receiving an acknowledgement response to the monitoring requestfrom the monitoring server. An HTTP response to the HTTP request isreceived from the application server. An operation with respect to theHTTP response is performed.

A traffic management computing device includes a memory coupled to oneor more processors which are configured to execute programmedinstructions stored in the memory including transmitting a monitoringrequest comprising one or more attributes extracted from an HTTP requestreceived from a client computing device and a timestamp to a monitoringserver to correlate one or more subsequent flows associated with theHTTP request. The HTTP request is transmitted to an application serverafter receiving an acknowledgement response to the monitoring requestfrom the monitoring server. An HTTP response to the HTTP request isreceived from the application server. An operation with respect to theHTTP response is performed

This technology provides a number of advantages including providingeffective methods, non-transitory computer readable medium, and devicesthat identify network traffic characteristics to correlate and manageone or more subsequent flows. With this technology, access audit trailscan be generated that are granular at the data level and also tie inattributes from the web application layer. Additionally, this technologycan monitor and effectively alert or terminate a user session deemed tobe misbehaving based on a data access policy. Further, this technologyhelps to secure both application and database environments from threats,such ashttp://www.f5.com/glossary/distributed-denial-of-service-attack.html SQLinjection and cross-site scripting attacks.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an environment with an exemplary traffic management computingdevice that identifies network traffic characteristics to correlate andmanage one or more subsequent flows;

FIGS. 2 and 3 are flow and functional diagrams of a method foridentifying network traffic characteristics to correlate and monitor oneor more subsequent flows to generate an audit trail; and

FIGS. 4 and 5 are flow and functional diagrams of a method foridentifying network traffic characteristics to correlate and manageaccess to one or more subsequent flows.

DETAILED DESCRIPTION

An environment 10 with an exemplary traffic management computing devicethat identifies network traffic characteristics to correlate and manageone or more subsequent flows is illustrated in FIG. 1. The environment10 includes a traffic management computing device 12, a plurality ofclient computing devices 14(1)-14(n), a database monitoring server 16, aweb application server 18, and data servers 20(1)-20(n) which are allcoupled together by one or more communication networks 21(1)-21(4),although this environment can include other numbers and types ofsystems, devices, components, and elements in other configurations. Thistechnology provides a number of advantages including providing effectivemethods, non-transitory computer readable medium, and devices thatidentify network traffic characteristics to correlate and manage one ormore subsequent flows, such as request and/or response flows.

The traffic management computing device 12 provides a number offunctions as illustrated and described with the examples hereinincluding identifying network traffic characteristics to correlate andmanage one or more subsequent flows, although other numbers and types ofsystems can be used and other numbers and types of functions can beperformed. In this example, the traffic management computing device 12includes a central processing unit (CPU) or processor 22, a memory 24,and an interface system 26 which are coupled together by a bus or otherlink, although other numbers and types of systems, devices, components,and elements in other configurations production data storage device 16,and a backup data storage device 18 and locations can be used. Theprocessor 22 executes a program of stored instructions for one or moreaspects of the present technology as described and illustrated by way ofthe examples herein, although other types and numbers of processingdevices and logic could be used and the processor 22 could execute othernumbers and types of programmed instructions.

The memory 24 stores these programmed instructions for one or moreaspects of the present technology as described and illustrated herein,although some or all of the programmed instructions could be stored andexecuted elsewhere. A variety of different types of memory storagedevices, such as a random access memory (RAM) or a read only memory(ROM) in the system or a floppy disk, hard disk, CD ROM, DVD ROM, orother computer readable medium which is read from and written to by amagnetic, optical, or other reading and writing system that is coupledto the processor 22, can be used for the memory 24.

In this example, the interface system 26 in the traffic managementcomputing device 12 is used to operatively couple and communicatebetween the traffic management computing device 12 and the plurality ofclient computing devices 14(1)-14(n), the database monitoring server 16,and the web application server 18, which are all coupled together by oneor more communication networks 21(1), 21(2), and 21(4), although othertypes and numbers of communication networks or systems with other typesand numbers of connections and configurations to other devices andelements, such as communication network 21(3) to communicate with dataservers 20(1)-20(n) could be used. In this illustrative example,application, web application server 18 is coupled to data servers20(1)-20(n) via communication network 20(3). Additionally, by way ofexample only, the one or more the communications networks can use TCP/IPover Ethernet and industry-standard protocols, including NFS, CIFS,SOAP, XML, LDAP, and SNMP, although other types and numbers ofcommunication networks, such as a direct connection, a local areanetwork, a wide area network, modems and phone lines, e-mail, andwireless communication technology, each having their own communicationsprotocols, can be used. In the exemplary environment 10 shown in FIG. 1,three communication networks 21(1)-21(4) are illustrated, although othernumbers and types could be used.

The client computing devices 14(1)-14(n), the database monitoring server16, the web application server 18, and the data servers 20(1)-20(n) eachmay include a central processing unit (CPU) or processor, a memory, andan interface or I/O system, which are coupled together by a bus or otherlink, although each could comprise other numbers and types of elementsand components, such as configured control logic to execute one or moreaspects of this technology. Each of the client computing devices14(1)-14(n) may submit an HTTP request for data or operations from theweb application server 18 through the traffic management computingdevice 12 and may receive HTTP responses, although other numbers andtypes of requests and responses can be transmitted and received andother types and numbers of functions could be performed.

The database monitoring server 16 may interact with the trafficmanagement device 12 to receive one or more attributes extracted fromthe HTTP request along with a timestamp and may use the attributes andtimestamp to correlate one or more subsequent flows associated with theHTTP request to one or more of the data servers 20(1)-20(n), althoughother numbers and types of functions can be performed.

The web application server 18 may receive and process the one or moreHTTP requests or other requests from one or more of the client computingdevices 14(1)-14(n) to execute one or more SQL queries or requests toobtain responsive data or other information from one or more of the dataservers 20(1)-20(n), although other numbers and types of functions canbe performed. Each of the data servers 20(1)-20(n) store content, suchas files and directories, in relational databases and perform otheroperations, although other numbers and types of servers or othercomputing device which could have other numbers and types of functionsand/or store other data could be used.

Although an example of the traffic management computing device 12, theplurality of client computing devices 14(1)-14(n), the databasemonitoring server 16, the web application server 18, and the dataservers 20(1)-20(n) are described herein, other types and numbers ofdevices could be used and each of these devices could be implemented inother configurations and manners on one or more of any suitable computersystem or computing device. It is to be understood that the devices andsystems of the examples described herein are for exemplary purposes, asmany variations of the specific hardware and software used to implementthe examples are possible, as will be appreciated by those skilled inthe relevant art(s).

Furthermore, each of the systems of the examples may be convenientlyimplemented using one or more general purpose computer systems,microprocessors, digital signal processors, and micro-controllers,programmed according to the teachings of the examples, as described andillustrated herein, and as will be appreciated by those ordinary skillin the art.

In addition, two or more computing systems or devices can be substitutedfor any one of the systems in any embodiment of the examples.Accordingly, principles and advantages of distributed processing, suchas redundancy and replication also can be implemented, as desired, toincrease the robustness and performance of the devices and systems ofthe examples. The examples may also be implemented on computer system orsystems that extend across any suitable network using any suitableinterface mechanisms and communications technologies, including by wayof example only telecommunications in any suitable form (e.g., voice andmodem), wireless communications media, wireless communications networks,cellular communications networks, G3 communications networks, PublicSwitched Telephone Network (PSTNs), Packet Data Networks (PDNs), theInternet, intranets, and combinations thereof.

The examples may also be embodied as a non-transitory computer readablemedium having instructions stored thereon for one or more aspects of thepresent technology as described and illustrated by way of the examplesherein, as described herein, which when executed by a processor, causethe processor to carry out the steps necessary to implement the methodsof the examples, as described and illustrated herein.

An exemplary method for identifying network traffic characteristics tocorrelate and monitor one or more subsequent flows to generate an audittrail will now be described with reference to FIGS. 1-3. In step 100,the traffic management computing device 12 monitors for when one of theclient computing devices 14(1)-14(n) performs a login request andsubmits a login form containing username or other login identifier,although other manners for monitoring a login, such as the trafficmanagement computing device 12 providing an initial login page, could beused.

In step 102, the traffic management computing device 12 determineswhether a received user request, such as an HTTP request by way ofexample only, with a username or other login credentials can beassociated with one of the client computing devices 14(1)-14(n),although other types of requests from other types of devices could bereceived. If in step 102, the traffic management computing device 12 cannot associate the received user request with the username or other logincredentials with one of the client computing devices 14(1)-14(n), thenthe No branch is taken to step 104.

In step 104, the traffic management computing device 12 determineswhether this exemplary method should end, such as when the user at theone of the client computing devices 14(1)-14(n) logs out or stopsbrowsing by way of example only, although other manners for determiningwhen this method should end can be used. If in step 104 the trafficmanagement computing device 12 determines this exemplary method shouldend, then the Yes branch is taken to step 106 where this exemplarymethod ends. If in step 104 the traffic management computing device 12determines this exemplary method should not end, then the No branch istaken back to step 102 as described earlier.

If back in step 102, the traffic management computing device 12 canassociate a received user request with a username or other logincredentials with one of the client computing devices 14(1)-14(n), thenthe Yes branch is taken to step 108. For illustration purposes in FIG. 3for this particular example, the user request is provided by the clientcomputing device 14(1), although other types of devices could providethe request.

In step 108, the traffic management computing device 12 extracts aclient identification, such as one or more of a login username, IPaddress, authentication credentials, and an authentication cookie valueby way of example only, a session identification, and one or more valuesfrom the received user request, although other types and amounts of datacan be extracted.

In step 110, the traffic management computing device 12 generates amonitoring request message, shown by way of example only as“asm_request.msg” in FIG. 3. The generated monitoring request messageincludes a timestamp and the extracted client identification, sessionidentification, and one or more values from the received user request,although other types of messages with other data may be generated. Instep 112, the traffic management computing device 12 transmits thegenerated monitoring request to the database monitoring server 16 overan unencrypted TCP socket over a secure internal LAN provided bycommunication network 21(2), although other manners of transmitting thismessage over other types of connections and networks can be used. Oncethe monitoring request has been received by the database monitoringserver 16, the database monitoring server 16 generates and transmits amonitoring acknowledgement response to the traffic management computingdevice 12.

In step 114, the traffic management computing device 12 receives themonitoring acknowledgement response, shown by way of example only as“dbm_ack.msg” in FIG. 3, from the database monitoring server 16.

In step 116, the traffic management computing device transmits thereceived user request to the application server 18. The applicationserver 18 receives the user request forwarded from the trafficmanagement computing device 12 and may issue one or more SQL requestsfor data or other operations from one or more of the data servers20(1)-20(n), although other types and numbers of requests, such as anXML query, XPATH, or an WS security request by way of example only, toother types and numbers of devices could be used. For illustrationpurposes in FIG. 3 for this particular example, the SQL requests fromthe application server 18 are provided to the data server 20(1),although the requests could be transmitted to other devices to obtainthe requested data.

In step 118, with the information in the generated monitoring request,the database monitoring server 16 is now able to monitor and correlatedata flows between the application server 18 and one or more of the dataservers 20(1)-20(n) which are associated with the received user request,although types of flows of requests and/or responses to other types ofservers and computing devices could be monitored and correlated. Thedatabase monitoring server 16 also may apply one or more stored accessor other policies to the data flows between the application server 18and one or more of the data servers 20(1)-20(n), although the access orother policies could be applied to other types of flows to other typesof servers and computing devices. Additionally, the database monitoringserver 16 is able to generate an audit trail associate with the userrequest and the correlated SQL or other requests.

In step 120, the traffic management computing device 12 determineswhether a response to the user request has been received. If in step120, the traffic management computing device 12 determines a response tothe user request has not been received, then the No branch is taken backto step 118 as described earlier and then database monitoring server 16continues to monitor and correlate data flows between the applicationserver 18 and one or more of the data servers 20(1)-20(n). If in step120, the traffic management computing device 12 determines a response tothe user request has been received, then the Yes branch is taken back tostep 122.

In step 122, the traffic management computing device 12 generates andtransmits a monitoring response message, shown by way of example only as“asm_response.msg” in FIG. 3, to the database monitoring server 16. Whenthe database monitoring server 16 receives the monitoring responsemessage it stops any further monitoring and correlation of data flowsbetween the application server 18 and one or more of the data servers20(1)-20(n) for the previously received user request. In step 124, thetraffic management computing device 12 transmits the user responsereceived from the application server 18 to the requesting one of theclient computing devices 14(1)-14(n) which is shown by way of exampleonly in FIG. 3 as client computing device 14(1) and then proceeds tostep 104 as described earlier.

An exemplary method for identifying network traffic characteristics tocorrelate and manage access to one or more subsequent flows will now bedescribed with reference to FIGS. 1, 4 and 5. This exemplary method isthe same as the exemplary method described with reference to FIGS. 1-3,except as illustrated and described herein. Steps in the exemplarymethod described with reference to FIGS. 1, 4, and 5 which are likethose in the exemplary method described earlier with reference to FIGS.1-3, will have like reference numerals and will not be described again.

In step 122, the traffic management computing device 12 generates andtransmits a monitoring response message, shown by way of example only as“asm_response.msg” in FIG. 3, to the database monitoring server 16.However, in this exemplary method the traffic management computingdevice 12 now waits for a subsequent action message from the databasemonitoring server 12 before determining what action to take with respectto the HTTP response to the received user request from one of the clientcomputing devices 14(1)-14(n), which is shown by way of example only inFIG. 5 as client computing device 14(1). The database monitoring server12 can monitor the data flows between the application server 18 and oneor more of the data servers 20(1)-20(n) and generate one or morecommands. In this example, the received action can comprise allowingthis HTTP response to be transmitted to the requesting one of the clientcomputing devices 14(1)-14(n), logging this HTTP response for auditingor other purposes in a memory storage device, reporting this HTTPresponse to one or more designated entities, quarantining or otherwiseblocking this HTTP response from being transmitted to the requesting oneof the client computing devices 14(1)-14(n), if for example an SQLinjection is detected, and terminating this HTTP response, althoughother types and numbers of operations based on a received command can beexecuted. The blocking may be at the web-application level, at the levelof the transaction, or later for the user or user session and thecommands may be based on the data access policy comprising one or moreSQL injection policies in the database monitoring server 16.

In step 126, the traffic management computing device 12 determineswhether an action message, shown by way of example only as“dbm_reply.msg” in FIG. 5, from the database monitoring server 16 hasbeen received. If in step 126, the traffic management computing device12 determines an action message from the database monitoring server 16has not been received, then the No branch is taken back to the start ofstep 126, although other options are available, such as ending thismethod after a set period of time if a command message is not received.If in step 126, the traffic management computing device 12 determines anaction message from the database monitoring server 16 has been received,then the Yes branch is taken to step 128.

In step 128, the traffic management computing device 12 executes thespecified action in the message with respect to the HTTP response to thereceived user request, although other types and numbers of operationscan be performed. As noted earlier, these actions can, by way of exampleonly, include allowing, logging, reporting, quarantining, or terminatingthe response to the received user request. Once the traffic managementcomputing device 12 has completed the action with respect to the HTTPresponse based on the received command, this exemplary method returns tostep 104 as described earlier.

Accordingly, as illustrated and described in the exemplary methodsherein, this technology provides effective methods, non-transitorycomputer readable medium, and devices that identify network trafficcharacteristics to correlate and manage one or more subsequent flows.With this technology, data access audit trails can be generated that aregranular at the data level and also tie in attributes from the webapplication layer. Additionally, this technology can monitor andeffectively alert or terminate a user session deemed to be misbehavingbased on a data access policy. Further, this technology helps to secureboth application and database environments from threats, such ashttp://www.f5.com/glossary/distributed-denial-of-service-attack.html SQLinjection and cross-site scripting attacks.

Having thus described the basic concept of the invention, it will berather apparent to those skilled in the art that the foregoing detaileddisclosure is intended to be presented by way of example only, and isnot limiting. Various alterations, improvements, and modifications willoccur and are intended to those skilled in the art, though not expresslystated herein. These alterations, improvements, and modifications areintended to be suggested hereby, and are within the spirit and scope ofthe invention. Additionally, the recited order of processing elements orsequences, or the use of numbers, letters, or other designationstherefore, is not intended to limit the claimed processes to any orderexcept as may be specified in the claims. Accordingly, the invention islimited only by the following claims and equivalents thereto.

What is claimed is:
 1. A method for identifying network trafficcharacteristics to correlate and manage one or more subsequent flows,the method comprising: transmitting, by a traffic management computingdevice, a monitoring request comprising one or more attributes extractedfrom an HTTP request received from a client computing device and atimestamp to a monitoring server to correlate one or more subsequentflows associated with the HTTP request; transmitting, by the trafficmanagement computing device, the HTTP request to an application serverafter receiving an acknowledgement response to the monitoring requestfrom the monitoring server; receiving, by the traffic managementcomputing device, an HTTP response to the HTTP request from theapplication server; and performing, by the traffic management computingdevice, an operation with respect to the HTTP response aftertransmitting a monitoring response message to end the correlationassociated with the HTTP request in response to the monitoring request.2. The method of claim 1 wherein the performing further comprisesoutputting, by the traffic management computing device, the HTTPresponse to the requesting client computing device.
 3. The method ofclaim 1 further comprising receiving, by the traffic managementcomputing device, a determined action with respect to the HTTP requestfrom the monitoring server which is based on a data access policy,wherein the performing further comprises executing, by the trafficmanagement computing device, the determined action on the HTTP response.4. The method of claim 3 wherein the determined action comprises one ofallowing, logging, reporting, quarantining, and terminating, by thetraffic management computing device, the output of the HTTP response tothe requesting client computing device.
 5. The method of claim 1 whereinthe one or more attributes comprise a client identification and asession identification in the HTTP request.
 6. The method of claim 5wherein the one or more attributes further comprise one or more requestvalues.
 7. A non-transitory computer readable medium having storedthereon instructions for identifying network traffic characteristics tocorrelate and manage one or more subsequent flows comprising machineexecutable code which when executed by at least one processor, causesthe processor to perform steps comprising: transmitting a monitoringrequest comprising one or more attributes extracted from an HTTP requestreceived from a client computing device and a timestamp to a monitoringserver to correlate one or more subsequent flows associated with theHTTP request; transmitting the HTTP request to an application serverafter receiving an acknowledgement response to the monitoring requestfrom the monitoring server; receiving an HTTP response to the HTTPrequest from the application server; and performing an operation withrespect to the HTTP response after transmitting a monitoring responsemessage to end the correlation associated with the HTTP request inresponse to the monitoring request.
 8. The medium of claim 7 wherein theperforming further comprises outputting the HTTP response to therequesting client computing device.
 9. The medium of claim 7 furthercomprising receiving a determined action with respect to the HTTPrequest from the monitoring server which is based on a data accesspolicy, wherein the performing further comprises executing thedetermined action on the HTTP response.
 10. The medium of claim 9wherein the determined action comprises one of allowing, logging,reporting, quarantining, and terminating the output of the HTTP responseto the requesting client computing device.
 11. The medium of claim 7wherein the one or more attributes comprise a client identification anda session identification in the HTTP request.
 12. The medium of claim 11wherein the one or more attributes further comprise one or more requestvalues.
 13. A traffic management computing device comprising: one ormore processors; a memory coupled to the one or more processors whichare configured to execute programmed instructions stored in the memorycomprising: transmitting a monitoring request comprising one or moreattributes extracted from an HTTP request received from a clientcomputing device and a timestamp to a monitoring server to correlate oneor more subsequent flows associated with the HTTP request; transmittingthe HTTP request to an application server after receiving anacknowledgement response to the monitoring request from the monitoringserver; receiving an HTTP response to the HTTP request from theapplication server; and performing an operation with respect to the HTTPresponse after transmitting a monitoring response message to end thecorrelation associated with the HTTP request in response to themonitoring request.
 14. The device of claim 13 wherein the one or moreprocessors is further configured to execute programmed instructionsstored in the memory for the performing further comprises outputting theHTTP response to the requesting client computing device.
 15. The deviceof claim 13 wherein the one or more processors is further configured toexecute programmed instructions stored in the memory further comprisingreceiving a determined action with respect to the HTTP request from themonitoring server which is based on a data access policy, wherein theperforming further comprises executing the determined action on the HTTPresponse.
 16. The device of claim 15 wherein the determined actioncomprises one of allowing, logging, reporting, quarantining, andterminating the output of the HTTP response to the requesting clientcomputing device.
 17. The device of claim 13 wherein the one or moreattributes comprise a client identification and a session identificationin the HTTP request.
 18. The device of claim 17 wherein the one or moreattributes further comprise one or more request values.